Ensure that your app-tier EC2 instances are using IAM roles to grant the necessary permissions (following the principle of least privilege) to the applications running on these instances. This conformity rule assumes that all AWS resources provisioned in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> the tag value. Prior to running this rule by the Cloud Conformity engine, the app-tier tags must be known and configured in the rule settings, on your Cloud Conformity account dashboard.
Applications that run on EC2 instances need credentials in order to access other AWS services. An IAM role associated with an app-tier instance dynamically provides these authentication credentials. Multiple benefits are gained when your applications are using IAM roles to sign their API requests with AWS credentials. For example, you don't have to manage credentials anymore as the authorization details provided by the IAM roles are temporary and rotated automatically for you. You can use a single role for multiple EC2 instances within your app tier, manage the role access permissions in one place and allow these to propagate automatically to all associated instances. And you can also restrict which role an IAM user can attach to an app-tier EC2 instance during the launch process in order to stop the user from trying to gain elevated privileges. Note: Make sure that you replace all <web_tier_tag>:<web_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the web tier.
To determine if your app-tier EC2 instances are using IAM roles to sign AWS API requests, perform the following actions:
To attach IAM roles to your running app-tier EC2 instances, you need to re-launch those instances and associate them with the required IAM roles. To create the necessary IAM roles (also known as instance profiles) and attach them to your EC2 instances during the launch process, perform the following actions: